Description
my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account.
Affected products
- F5 / firepass5.4 – 5.4
- F5 / firepass5.4.1 – 5.4.1
- F5 / firepass5.4.2 – 5.4.2
- F5 / firepass5.4.3 – 5.4.3
- F5 / firepass5.4.4 – 5.4.4
- F5 / firepass5.4.5 – 5.4.5
- F5 / firepass5.4.6 – 5.4.6
- F5 / firepass5.4.7 – 5.4.7
- F5 / firepass5.4.8 – 5.4.8
- F5 / firepass5.4.9 – 5.4.9
- F5 / firepass5.5 – 5.5
- F5 / firepass5.5.1 – 5.5.1
- F5 / firepass6.0 – 6.0
References
- MISC: https://tech.f5.com/home/solutions/sol6923.html
- VENDOR_ADVISORY: http://www.mnin.org/advisories/2007_firepass.pdf
- MISC: http://www.osvdb.org/32736
- VENDOR_ADVISORY: http://secunia.com/advisories/23627
- MAILING_LIST: http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051651.html
- MISC: http://www.securityfocus.com/bid/21957